IBM Cloud Docs
Managing edge certificates
IBM Cloud® Internet Services offers three types of edge certificates: Universal, Advanced, and Custom.

Universal certificates

By default, CIS issues free, unshared, publicly trusted SSL certificates to all domains added on CIS. For these Universal certificates, CIS controls the validity periods and certificate authorities (CAs), making sure that renewals always occur. Universal certificates that are issued by Let's Encrypt or Google Trust Services have a 90-day validity period.

CIS can change the CA of Universal certificates without prior notice, and will not notify you of these changes. If you prefer to select your own issuing certificate authority, order an advanced certificate.

Advanced certificates

Advanced certificates offer a flexible and customizable way to issue and manage certificates. Use advanced certificates when you want something more customizable than Universal SSL but still want the convenience of SSL certificate issuance and renewal.

Advanced certificates are ordered directly through CIS.

Certificate validity and renewal periods for Universal and Advanced certificates

Universal certificates are always valid for 90 days and are renewed automatically 30 days before expiration.

By using Advanced certificates, you can select the validity and auto-renewal dates as shown in the following table.

CIS certificate validity periods

Certificate validity period | Auto renewal period | Details
----------------------------|---------------------|-------------------------------
3 months                    | 30 days             |
1 month                     | 7 days              | Not supported by Let's Encrypt
2 weeks                     | 3 days              | Not supported by Let's Encrypt

Renewal periods are automated on the back end, and are not customizable.

Backup certificates

If CIS is providing authoritative DNS for your domain, CIS will issue a backup Universal SSL certificate for every standard Universal certificate issued.

Backup certificates are wrapped with a different private key and issued from a different certificate authority (Google Trust Services, Let's Encrypt, Sectigo, or SSL.com) than your domain's primary Universal SSL certificate.

These backup certificates are not normally deployed, but they will be deployed automatically by CIS in the event of a certificate revocation or key compromise.

Certificate authorities

For publicly trusted certificates, Cloudflare partners with different certificate authorities (CAs). The following CAs are available for selection in CIS:

  • Let's Encrypt
  • Google Trust Services
  • SSL.com
    • Supports validity periods of 14, 30, and 90 days
      • 1-year validity period is available to Enterprise customers
    • DCV tokens are valid for 14 days
    • Compatibility documentation
  • DigiCert (deprecated)
  • Sectigo
    • Used only for backup certificates when CIS is providing authoritative DNS for your domain
    • Supports validity periods of 90 days
    • Compatibility documentation

Custom certificates

Custom certificates are for customers who want to use their own SSL certificates. You upload these certificates to CIS.

Unlike Universal or Advanced certificates, CIS does not manage the issuance or renewal for custom certificates. You are responsible for uploading, updating, and tracking the expiration dates of your custom certificates.

Failure to renew and certificate replacement

For certificates managed by CIS, renewal attempts begin at the auto renewal period and continue until 24 hours before the expiration. If a certificate fails to renew and another valid certificate exists for the hostname, CIS deploys the valid certificate within these last 24 hours.
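The validity table above, the "renewal attempts run until 24 hours before expiration" rule, and the note that custom certificates are the operator's own responsibility to track can be folded into one expiry dashboard. The following is an added example, not IBM's or CIS's code: it validates an Advanced order against the table (the 1-month and 2-week rows are marked unsupported only for Let's Encrypt, so the other CAs are assumed to accept them), computes each managed certificate's renewal window, and flags custom certificates that need manual renewal. The inventory, hostnames and dates are constructed sample data.

```python
"""Renewal-window planner for CIS-managed and custom edge certificates (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Validity period (days) -> auto-renewal lead time (days), from the CIS table.
VALIDITY_TO_RENEWAL = {
    90: 30,  # "3 months", renewed 30 days before expiry (also the Universal schedule)
    30: 7,   # "1 month", renewed 7 days before expiry
    14: 3,   # "2 weeks", renewed 3 days before expiry
}
# Assumption: only Let's Encrypt is marked as not supporting the short periods.
CA_SUPPORTED_VALIDITY = {
    "letsencrypt.org": {90},
    "pki.goog": {90, 30, 14},
    "ssl.com": {90, 30, 14},
}
# Renewal attempts stop 24 hours before expiry; in that last day CIS deploys
# another valid certificate for the hostname if one exists.
FINAL_CUTOFF = timedelta(hours=24)


def utc(year, month, day, hour=0):
    """Small helper so callers (and tests) can build timezone-aware timestamps."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def check_advanced_order(ca: str, validity_days: int) -> int:
    """Validate an Advanced certificate order; return its auto-renewal lead time in days."""
    if validity_days not in VALIDITY_TO_RENEWAL:
        raise ValueError(f"{validity_days}-day validity is not a CIS option")
    if validity_days not in CA_SUPPORTED_VALIDITY.get(ca, set()):
        raise ValueError(f"{ca} does not support a {validity_days}-day validity period")
    return VALIDITY_TO_RENEWAL[validity_days]


def order_allowed(ca: str, validity_days: int) -> bool:
    try:
        check_advanced_order(ca, validity_days)
        return True
    except ValueError:
        return False


@dataclass
class EdgeCert:
    hostname: str
    kind: str            # "universal", "advanced" or "custom"
    ca: str              # issuing CA, named by its CAA domain
    not_before: datetime
    not_after: datetime

    @property
    def validity_days(self) -> int:
        return (self.not_after - self.not_before).days


def renewal_window(cert: EdgeCert):
    """(first renewal attempt, last renewal attempt) for CIS-managed certs; None for custom."""
    if cert.kind == "custom":
        return None
    lead_days = VALIDITY_TO_RENEWAL[cert.validity_days]
    return cert.not_after - timedelta(days=lead_days), cert.not_after - FINAL_CUTOFF


def assess(cert: EdgeCert, now: datetime, custom_warn_days: int = 30) -> str:
    """Classify a certificate relative to `now` for an expiry dashboard."""
    if now >= cert.not_after:
        return "expired"
    if cert.kind == "custom":
        # CIS neither issues nor renews custom certificates: the operator must act.
        remaining = cert.not_after - now
        return "custom-renew-now" if remaining <= timedelta(days=custom_warn_days) else "custom-ok"
    start, last_attempt = renewal_window(cert)
    if now < start:
        return "ok"
    if now <= last_attempt:
        return "cis-renewing"
    return "final-24h-fallback"   # renewal failed; CIS swaps in another valid cert if one exists


def build_inventory():
    """Constructed sample inventory (hostnames and dates are not real)."""
    t0 = utc(2024, 1, 1)
    return [
        EdgeCert("www.example.com", "universal", "letsencrypt.org", t0, t0 + timedelta(days=90)),
        EdgeCert("api.example.com", "advanced", "pki.goog", t0, t0 + timedelta(days=14)),
        EdgeCert("legacy.example.com", "custom", "digicert.com", t0, t0 + timedelta(days=365)),
    ]


def report(now: datetime) -> dict:
    return {c.hostname: assess(c, now) for c in build_inventory()}


if __name__ == "__main__":
    for host, status in report(utc(2024, 3, 5)).items():
        print(f"{host:22} {status}")
```

The "final-24h-fallback" state is the one worth alerting on: by then CIS has stopped trying to renew, and the hostname stays covered only if some other valid certificate exists for it.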

CAA records

A Certificate Authority Authorization (CAA) DNS record specifies which certificate authorities (CAs) are allowed to issue certificates for a domain. This record reduces the chance of unauthorized certificate issuance and promotes standardization across your organization.

The following table lists the CAA record content for each CA:

CAA record content for each CA

Certificate authority | CAA record content
----------------------|-----------------------------------------
Let's Encrypt         | letsencrypt.org
Google Trust Services | pki.goog; cansignhttpexchanges=yes
SSL.com               | ssl.com
DigiCert              | digicert.com; cansignhttpexchanges=yes
Sectigo               | sectigo.com
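Before you publish CAA records, it is worth checking that they still permit every CA that CIS may use for the zone (the primary CA and, when CIS is the authoritative DNS, the backup CA from a different issuer). The following is an added example, not IBM's or CIS's code: it renders the record content from the table above as RFC 8659 presentation-format records, parses existing records, and evaluates whether a given CA may issue for a name by climbing the name toward the apex as RFC 8659 prescribes. The sample zone and its hostnames are constructed.

```python
"""CAA record rendering and evaluation for the CAs in the CIS table (added example)."""
import re

# CAA record content per CA, exactly as in the page's table.
CAA_CONTENT = {
    "Let's Encrypt": "letsencrypt.org",
    "Google Trust Services": "pki.goog; cansignhttpexchanges=yes",
    "SSL.com": "ssl.com",
    "DigiCert": "digicert.com; cansignhttpexchanges=yes",
    "Sectigo": "sectigo.com",
}

# RFC 8659 presentation format: <flags> <tag> "<value>"
RECORD_RE = re.compile(r'^(\d{1,3})\s+(issue|issuewild|iodef)\s+"([^"]*)"$')


def publish_record(ca_name: str, wildcard: bool = False) -> str:
    """Render the CAA record to add for a CA from the table (flags 0, non-critical)."""
    tag = "issuewild" if wildcard else "issue"
    return f'0 {tag} "{CAA_CONTENT[ca_name]}"'


def parse_caa(record: str) -> dict:
    """Parse one CAA record, e.g. 0 issue "pki.goog; cansignhttpexchanges=yes"."""
    m = RECORD_RE.match(record.strip())
    if not m:
        raise ValueError(f"not a CAA record: {record!r}")
    flags, tag, value = int(m.group(1)), m.group(2), m.group(3)
    issuer, params = value, {}
    if tag != "iodef":
        # value is "<issuer-domain>[; key=val ...]"; a bare ";" authorizes no CA at all
        head, *rest = value.split(";")
        issuer = head.strip()
        for item in rest:
            if item.strip():
                key, _, val = item.partition("=")
                params[key.strip()] = val.strip()
    return {"flags": flags, "critical": bool(flags & 128), "tag": tag,
            "issuer": issuer, "params": params}


def relevant_records(zone: dict, hostname: str):
    """RFC 8659: climb from the name toward the root; the first name holding CAA records governs."""
    labels = hostname.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        records = [parse_caa(r) for r in zone.get(name, [])]
        if records:
            return name, records
    return None, []


def may_issue(zone: dict, hostname: str, ca_domain: str) -> bool:
    """Would the CA identified by `ca_domain` be permitted to issue for `hostname` (or "*.name")?"""
    wildcard = hostname.startswith("*.")
    name = hostname[2:] if wildcard else hostname
    governing, records = relevant_records(zone, name)
    if governing is None:
        return True                      # no CAA anywhere in the chain: issuance is unrestricted
    tag = "issuewild" if wildcard else "issue"
    chosen = [r for r in records if r["tag"] == tag]
    if wildcard and not chosen:          # no issuewild records: issue records govern wildcards too
        chosen = [r for r in records if r["tag"] == "issue"]
    return any(r["issuer"] == ca_domain for r in chosen)


def blocked_cas(zone: dict, hostname: str, ca_names) -> set:
    """Which of the listed CAs would the zone's CAA records stop from issuing for `hostname`?"""
    return {ca for ca in ca_names
            if not may_issue(zone, hostname, parse_caa(publish_record(ca))["issuer"])}


# Constructed sample zone (presentation-format CAA records), not real DNS data.
SAMPLE_ZONE = {
    "example.com": [
        publish_record("Let's Encrypt"),
        publish_record("Google Trust Services"),
        '0 issuewild "sectigo.com"',
        '0 iodef "mailto:security@example.com"',
    ],
    "locked.example.com": ['128 issue ";"'],   # critical record that authorizes no CA
}

if __name__ == "__main__":
    print("blocked for www.example.com:", sorted(blocked_cas(SAMPLE_ZONE, "www.example.com", CAA_CONTENT)))
```

In the sample zone, a Universal certificate from Let's Encrypt or Google Trust Services can be issued for www.example.com, but a backup certificate from SSL.com could not; either add that CA's record from the table or accept that CIS cannot fall back to it. CAs use the same climb-to-apex lookup, so a record at the apex covers every subdomain that has no CAA records of its own.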

Certificate statuses

Each certificate status describes where in the issuance process you are, and can vary depending on the type of certificate.

New certificate statuses

When you order a new certificate, whether it's an edge certificate or a certificate that is used for a custom hostname, its status moves through various stages as it progresses to the global network.

  1. Initializing
  2. Pending Validation
  3. Pending Issuance
  4. Pending Deployment
  5. Active

After you issue a certificate, it moves to Pending Validation, and changes to Active after the validation is completed. If you see any errors, you might need to take more actions to validate the certificate.

If you deactivate a certificate, it moves to Deactivating and then Inactive status.

Custom certificate statuses

When you use a custom certificate and your zone status is Pending or Moved, your certificate might have a status of Holding Deployment.

When your zone becomes active, your custom certificate deploys automatically and changes to an Active status. However, if your zone is already active when you upload a custom certificate, you do not see this status.

Staging certificate statuses

When you create certificates in your staging environment, those staging certificates have their own set of statuses.

  • Staging deployment: Similar to Pending Deployment, but for staging certificates.
  • Staging active: Similar to Active, but for staging certificates.
  • Deactivating: Your staging certificate is in the process of becoming Inactive.
  • Inactive: Your staging certificate is not at the edge, but you can deploy it if needed.

Client certificate statuses

When you use client certificates, those client certificates have their own set of statuses:

  • Active: The client certificate is active.
  • Revoked: The client certificate is revoked.
  • Pending Reactivation: The client certificate was revoked, but is being restored.
  • Pending Revocation: The client certificate was active, but is being revoked.